Schools that compel students to use commercial cloud services for email and documents are putting privacy at risk, says a campaign group calling for strict controls on the use of such services in education.

A core problem is that cloud providers force schools to accept policies that authorize user profiling and online behavioral advertising. Some cloud privacy policies stipulate that students are also bound by these policies, even when they have not had the opportunity to grant or withhold their consent, said privacy campaign group SafeGov.org in a report released on Monday.

There is also the risk of commercial data mining. “When school cloud services derive from ad-supported consumer services that rely on powerful user profiling and tracking algorithms, it may be technically difficult for the cloud provider to turn off these functions even when ads are not being served,” the report said.

Furthermore, by failing to create interfaces that distinguish between ad-free and ad-supported versions, students may be lured from ad-free services for school use to consumer ad-driven services that engage in highly intrusive processing of personal information, according to the report. This could be the case with email, online video, networking and basic search.

Also, contracts used by cloud providers don’t guarantee ad-free services because they are ambiguously worded and include the option to serve ads, the report said.

SafeGov has sought support from European Data Protection Authorities (DPAs), some of which endorsed the use of codes of conduct establishing rules to which schools and cloud providers could voluntarily agree. Such codes should include a binding pledge to ban targeted advertising in schools as well as the processing or secondary use of data for advertising purposes, SafeGov recommended.

“We think any provider of cloud computing services to schools (Google Apps and Microsoft 365 included) should sign up to follow the Codes of Conduct outlined in the report,” said a SafeGov spokeswoman in an email.

Even when ad serving is disabled the privacy of students may still be jeopardized, the report said.

For example, while Google’s policy for Google Apps for Education states that no ads will be shown to enrolled students, there could still be a privacy problem, according to SafeGov.

“Based on our research, school and government customers of Google Apps are encouraged to add ‘non-core’ (ad-based) Google services such as search or YouTube, to the Google Apps for Education interface, which takes students from a purportedly ad-free environment to an ad-driven one,” the spokeswoman said.

“In at least one case we know of, it also requires the school to force students to accept the privacy policy before being able to continue using their accounts,” she said, adding that when this is done the user can click through to the ad-supported service without a warning that they will be profiled and tracked.

This issue was flagged by the French and Swedish DPAs, the spokeswoman said.

In September, the Swedish DPA ordered a school to stop using Google Apps or sign a reworked agreement with Google because the current terms of use lacked specifics on how personal data is being handled and didn’t comply with local data laws.

However, there are some initiatives that are encouraging, the spokeswoman said.

Microsoft’s Bing for Schools initiative, an ad-free, no cost version of its Bing search engine that can be used in public and private schools across the U.S., is one of them, she said. “This is one of the things SafeGov is trying to accomplish with the Codes of Conduct—taking out ad-serving features completely when providing cloud services in schools. This would remove the ad-profiling risk for students,” she said.

Microsoft and Google did not respond to a request for comment.

To comment on this article and other PCWorld content, visit our Facebook page or our Twitter feed.